Cyber fraudsters using ‘Digital Lutera’ toolkit to bypass UPI security: Report

CloudSEK has warned of a new cyber fraud technique that manipulates Android devices, intercepts OTPs and bypasses UPI security; UPI custodian NPCI says robust safeguards exist to manage such risks

New Delhi: Online fraudsters are using new technology that bypasses security features of UPI apps to carry out financial transactions, cyber intelligence firm CloudSEK claimed in a report.

According to the report, the firm has identified at least 20 active groups on messaging platform Telegram, each with over 100 members, where a toolkit by the name of “Digital Lutera” is being discussed, distributed, and operationalised.

---

“This is not just another UPI malware variant. Digital Lutera represents a structural attack on device trust. When the operating system itself is manipulated, traditional safeguards like SIM-binding and app signature checks become unreliable. If left unaddressed, this could industrialise account takeovers at scale across the digital payments ecosystem,” CloudSEK, Threat Researcher, Shobhit Mishra said.

CloudSEK claims to have done an analysis of one such group alone which indicates that transactions worth Rs 25-30 lakh were processed over just two days, highlighting how quickly the fraud model is scaling and the number of victims’ connections.

UPI custodian National Payments Corporation of India (NPCI) said that the digital payment has robust checks in place to handle “such risks”. “NPCI has examined the report and clarifies that robust checks and safeguards are already in place to address such risks. UPI is designed with multiple layers of security and authentication mechanisms to ensure that transactions remain safe and secure,” an NPCI statement said.

NPCI said it continues to work closely with banks and ecosystem partners to monitor risks and strengthen security measures, ensuring that digital payments remain safe and reliable for users. SIM-binding has been treated as a proof that a bank account is securely tied to a specific device. UPI apps process transactions after verifying the SIM of the phone number with which the account associated with it is installed in the mobile phone.

CloudSEK said the attack typically begins when a user unknowingly installs a malicious APK disguised as something routine, such as a traffic fine notice or a wedding invitation. Once installed, the malware gains access to the victim’s phone’s SMS permissions.

Once the Digital Lutera tool kit is installed, attackers use a specialised Android framework tool on their own device to manipulate system-level identity and SMS functions. The attacker is then able to intercept registration messages meant for the banks and OTPs are silently forwarded to Telegram channels controlled by the attackers.

“Fake “sent” SMS entries are inserted into the phone’s message records to make everything appear legitimate. The result is disturbing: a victim’s UPI account can be registered and controlled on a completely different device — even though the actual SIM card never leaves the victim’s phone,” the report said.

The cyber intelligence firm said that after manipulating the android device, it makes the UPI app believe that messages for verification have genuinely emanated from the smartphone. CloudSEK said that it has informed relevant regulators and financial institutions to help them prepare and take proactive mitigation measures as part of responsible disclosure.